systemd udev Local Privilege Escalation Vulnerability via Malicious Hardware Devices
Vulnerability
A local privilege escalation vulnerability has been identified in the udev component of systemd, affecting versions prior to 260. This vulnerability allows unauthorized users to gain root access by exploiting unsanitized kernel output from malicious hardware devices. The issue arises in udev's helper binaries, 'scsi_id' and 'v4l_id', which parse input from the kernel. Malicious devices can craft specific properties that are sent to userspace without proper sanitization. For example, 'v4l_id' can be manipulated to execute a chosen file as root, while 'scsi_id' can be used to activate systemd units of the attacker's choice, potentially leading to unauthorized access or control.
Impact
Exploitation of this vulnerability allows for local privilege escalation, enabling a user to gain root access on the affected system.
Reproduction
To reproduce this vulnerability, connect a malicious hardware device that can craft specific properties sent to the kernel. For 'v4l_id', the device can be programmed to include a command in the 'ID_V4L_PRODUCT' property, which 'v4l_id' will parse and execute as root. For 'scsi_id', the 'ID_SCSI_SERIAL' property can be manipulated to include a command that activates a systemd unit, such as 'debug-shell.service', which provides a root console.
Remediation
Users can upgrade to systemd versions 260, 259.5, 258.7, or 257.13, all of which include patches for this vulnerability. Alternatively, the v4l and iscsi drivers can be disabled in the kernel.
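A version check against the fixed releases listed above, as an added example that is not part of the advisory or the systemd project. It assumes the first line of `systemctl --version` looks like `systemd 257 (257.13-1)`, the function names are hypothetical, and it compares upstream numbers only, so a distribution backport of the fix is not detected.

```shell
#!/bin/sh
# Added example, not from the advisory's source. Classifies an upstream systemd
# version against the fixed releases the advisory lists: 260, 259.5, 258.7, 257.13.

# Pull the version token out of the first line of `systemctl --version`.
# Assumed line format: "systemd 257 (257.13-1)"; the parenthesised package
# version is preferred because it carries the point release.
extract_version() {
    case $1 in
        *"("*")"*) v=${1#*"("}; printf '%s\n' "${v%%")"*}" ;;
        *)         v=${1#systemd }; printf '%s\n' "${v%% *}" ;;
    esac
}

# Print patched, vulnerable or unknown for a token such as "258.7-2" or "259".
udev_fix_status() {
    case $1 in
        *rc*) echo unknown; return 0 ;;      # pre-release: number alone is not enough
    esac
    num=${1%%[!0-9.]*}                       # "257.13-1" -> "257.13"
    major=${num%%.*}
    rest=${num#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; minor=${minor:-0}     # bare "259" is treated as 259.0
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -ge 260 ]; then echo patched; return 0; fi
    case $major in
        259) fixed=5 ;;
        258) fixed=7 ;;
        257) fixed=13 ;;
        *)   echo vulnerable; return 0 ;;    # no fixed point release listed for this branch
    esac
    if [ "$minor" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample lines (not captured from real hosts).
for line in "systemd 257 (257.13-1)" "systemd 259 (259.4-2)" \
            "systemd 255 (255.4-1)" "systemd 260 (260~rc1)" "systemd 260"; do
    printf '%-28s %s\n' "$line" "$(udev_fix_status "$(extract_version "$line")")"
done
```

On a host, feed `extract_version` the output of `systemctl --version | head -n1` instead of the sample lines.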
